16 configuring mac/byod authentication, Mac authentication processes, Anonymous mac authentication – H3C Technologies H3C Intelligent Management Center User Manual


16 Configuring MAC/BYOD authentication

To authenticate endpoint users identified by MAC addresses, UAM provides the following authentication modes:

• Anonymous MAC authentication—Automatically authenticates a user who has no account in UAM by using the BYODanonymous account. After the authentication, the user can register a guest account in UAM and then use the guest account for authentication.

• Transparent MAC authentication—Automatically authenticates the user by using the account associated with the user's MAC address, requiring no manual intervention.

• Mute terminal MAC authentication—Automatically authenticates mute terminals such as IP phones and printers, which cannot actively initiate the authentication process.

The BYOD solution combines anonymous MAC authentication with transparent MAC authentication. An endpoint user first goes through anonymous MAC authentication and then transparent MAC authentication.

MAC authentication processes

The MAC authentication processes vary by the authentication mode. This example uses X as the name of the MAC authentication domain.

Anonymous MAC authentication

Anonymous authentication uses the following workflow:

1. An IMC operator enables MAC authentication and RADIUS authentication on the access device, and configures Domain X as the MAC authentication domain.

2. When a guest attempts to access the network, the access device forwards the MAC address of the guest to UAM.

3. UAM checks the MAC address and performs anonymous MAC authentication for the guest if the following conditions are met:

   ○ The MAC address is not in the MAC address range configured for mute terminals.

   ○ The MAC address is not bound to any user account except the BYODanonymous account.

   ○ Transparent authentication is enabled for the MAC address.

   ○ The BYODanonymous account is configured in UAM, and one of the services applied for the account uses the service suffix X.

4. After the authentication, UAM binds the MAC address to the BYODanonymous account, and controls the guest's access behaviors by using the service with the suffix X.
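A model of the step 3 checks, added here as an illustration and not taken from the manual or from UAM: `UamPolicy`, `anonymous_auth_blockers` and the sample addresses are hypothetical, and how UAM stores these settings is an assumption. It reports which condition keeps a MAC address off the anonymous (guest) path, which is useful when auditing who can reach the network through the BYODanonymous account.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

ANON = "BYODanonymous"  # account name from the manual

def mac_to_int(mac: str) -> int:
    """Accept 00:1a:2b:.., 00-1A-.., 001a-2b3c-4d5e or bare hex; return an int."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

@dataclass
class UamPolicy:
    """Hypothetical model of the settings step 3 refers to (not a UAM API)."""
    domain: str                                         # MAC authentication domain ("X")
    mute_ranges: list = field(default_factory=list)     # [(first_mac, last_mac), ...]
    bindings: dict = field(default_factory=dict)        # mac -> account names bound to it
    transparent_off: set = field(default_factory=set)   # MACs with transparent auth disabled
    anon_suffixes: Optional[set] = None                 # None: BYODanonymous not configured

def anonymous_auth_blockers(mac: str, p: UamPolicy) -> list:
    """Return the step-3 conditions that fail for mac; [] means all four hold."""
    m, failed = mac_to_int(mac), []
    if any(mac_to_int(lo) <= m <= mac_to_int(hi) for lo, hi in p.mute_ranges):
        failed.append("in mute terminal range")
    bound = set()
    for key, accounts in p.bindings.items():
        if mac_to_int(key) == m:
            bound |= set(accounts)
    if bound - {ANON}:
        failed.append("bound to another account")
    if m in {mac_to_int(x) for x in p.transparent_off}:
        failed.append("transparent authentication disabled")
    if p.anon_suffixes is None:
        failed.append("BYODanonymous not configured")
    elif p.domain not in p.anon_suffixes:
        failed.append("no BYODanonymous service with suffix " + p.domain)
    return failed

# Constructed sample policy and addresses, for illustration only.
POLICY = UamPolicy(
    domain="X",
    mute_ranges=[("0011-2200-0000", "0011-22ff-ffff")],
    bindings={"aa:bb:cc:00:00:01": {"alice"}, "aa:bb:cc:00:00:02": {ANON}},
    transparent_off={"AA-BB-CC-00-00-03"},
    anon_suffixes={"X"},
)

if __name__ == "__main__":
    for mac in ("AABB-CC00-0009", "0011-2233-4455", "aabbcc000001", "aa:bb:cc:00:00:03"):
        print(mac, anonymous_auth_blockers(mac, POLICY) or "anonymous MAC authentication")
```

An empty result means the model predicts anonymous MAC authentication followed by the binding described in step 4.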

Table 25 shows the domain X and service suffix correlation in anonymous MAC authentication.
